NTP BUG 3012: Sybil vulnerability: ephemeral association attack

Last update: February 15, 2022 20:59 UTC (43fbd379b)


Summary

Resolved 4.2.8p7 26 Apr 2016
References Bug 3012 CVE-2016-1549
Affects All ntp-4 releases up to, but not including 4.2.8p7,
and 4.3.0 up to, but not including 4.3.92.
Resolved in 4.2.8p7 with significant additional protections for this issue in 4.2.8p11.
CVSS2 Score LOW 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3 Score MED 5.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer – i.e. one where the attacker knows the private symmetric key – can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim’s clock.


Mitigation


Credit

This weakness was discovered by Matthew Van Gundy of Cisco ASIG.